
AAA- Multisite

We initially had an installer help us configure our HiveManager, and we had a few offices that connected right off the bat. Going in to find out what they did has been eye-opening.

Our primary SSID is Company_Corp, and it would appear that almost all the APs have been configured as RADIUS servers. They have similar configurations, but it seems like overkill. We've got 3 locations set up right now, and they pretty much connect back to our DC that sits in a data center.

Additionally, under AAA Client settings of the main client that is configured, under RADIUS servers I have 2 entries, AAAServerMultisite and AAABackup. These are filled with all the other APs.

I don't have a lot of APs (13), and I don't have a large number of users. I haven't had any complaints on speed, but I'm worried that it might be a problem in the future. I have 7 more offices to provision APs to, and I'd rather not continue this trend.

Sorry if I'm talking too much, just finished a training session, and I'm still a little overwhelmed.

At each remote site, best practice is to have 2 APs act as RADIUS servers: Primary1 and Backup1. All other APs should be added as NAS clients, so when they query AD, it goes from that AP to the AP acting as RADIUS, and then that AP queries the AD/RADIUS server. If your AP is set up for RADIUS, it will have a 3-circle icon next to it.

Was there any knowledge transfer from your reseller? I would definitely ask for it, if you paid for their services. We also do it as part of our sign-off process.

Thanks for the response, as for the knowledge transfer, I'm sure that it was done, but with an employee that is no longer with us.

The APs are set up in primary and backup, it's just that two of the sites only have two APs, making it look crowded. But it's good to know.

Is it also a best practice to do the AAAServerMultisite? I think we are attempting to have a single policy across the company (of course making sure that VLANs match and such), perhaps the Multisite is needed in this case?

Looks like this one is just a grouping of the "Primary" RADIUS APs, and the other is a grouping of the backup APs. I've been looking through everything, and I don't actually believe that the tagging is actually referenced anywhere, but I'm sure it was intended to be used. This is the screen after clicking on the RADIUS setting next to the SSID name, and then adding a new entry under RADIUS servers.

Geoff - The configuration looks correct so far. They have followed the best practices by condensing network policies, and leveraging the tag functionality. It looks like they configured the sites for survivability in case WAN goes down, so that users can continue to authenticate to the APs.

To ensure the tags are being used correctly, select a device from the Monitor tab and click 'Modify'.

Do you see a value in a yellow bubble (above the expanding fields below) that should state the name of the tag? (ex: Plano)

For the next 7 offices, the steps would be as such:

- Join new APs to the domain
- Set up new APs as RADIUS servers
- Modify AAASERVERMULTISITE to encompass the new tag values / APs and IP addresses
- Assign tags to new APs